Action _*is required of you*_
Read the post...
http://www.dslreports.com/forum/remark,16250999~mode=flat
We do Not Do HijackThis Log Analysis (here) - we direct users to:
appropriate Expert Forums for log file analysis.
Silj
--
siljaline
--
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
<kom...@yahoo.com> wrote in message
news:1149635875....@h76g2000cwa.googlegroups.com...
***I APOLOGIZE WITH ALL REVERENCE TO THE CHARTER, BUT WE'LL ALL GET
THROUGH THIS***
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\kbdtuq.exe
C:\WINDOWS\system32\mp43dmod.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Pixmantec\RawShooter premium 2006 1.0\RawShooter.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems
Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe
R3 - Default URLSearchHook is missing
F2 - REG:system.ini:
UserInit=C:\WINDOWS\system32\userinit.exe,kmqrhwt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: STOPzilla Browser Helper Object -
{E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program
Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe
/autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [inetmib1] "C:\WINDOWS\system32\inetmib1.exe"
O4 - HKCU\..\Run: [msrd2x40] "C:\WINDOWS\system32\msrd2x40.exe"
O4 - HKCU\..\Run: [adistres] "C:\WINDOWS\system32\adistres.exe"
O4 - HKCU\..\Run: [kbdtuq] C:\WINDOWS\system32\kbdtuq.exe
O4 - HKCU\..\Run: [mp43dmod] C:\WINDOWS\system32\mp43dmod.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program
Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk
TransferMate\SD Monitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word -
res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program
Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner -
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
Before you run those have HJT fix the following lines by placing a check in
the box next to each line then click on the fix checked button on the
bottom.
R3 - Default URLSearchHook is missing
F2 - REG:system.ini:
UserInit=C:\WINDOWS\system32\userinit.exe,kmqrhwt.exe
O4 - HKCU\..\Run: [inetmib1] "C:\WINDOWS\system32\inetmib1.exe"
O4 - HKCU\..\Run: [msrd2x40] "C:\WINDOWS\system32\msrd2x40.exe"
O4 - HKCU\..\Run: [adistres] "C:\WINDOWS\system32\adistres.exe"
O4 - HKCU\..\Run: [kbdtuq] C:\WINDOWS\system32\kbdtuq.exe
O4 - HKCU\..\Run: [mp43dmod] C:\WINDOWS\system32\mp43dmod.exe
Run Killbox then copy and paste the lines below into killbox and select the
red X to delete them.
C:\WINDOWS\system32\kbdtuq.exe
C:\WINDOWS\system32\mp43dmod.exe
C:\WINDOWS\system32\inetmib1.exe
C:\WINDOWS\system32\msrd2x40.exe
C:\WINDOWS\system32\adistres.exe
Next move the HJT file from your temp folder and place it on your desktop.
Run Crap cleaner using the default settings. Run Ewido update it first and
delete what ever it finds. Download the lateset version of java from here
http://www.java.com . Run HJT again and post another log file. Also post the
log from Ewido. When you post your new HJT log please post the complete log.
--
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
<kom...@yahoo.com> wrote in message
news:1149645677.0...@g10g2000cwb.googlegroups.com...
That's pretty rude to just blatently post your log here when you were
asked politely not to and pointed directly to other groups that would
help you. It looks like you don't even have SUPERAntiSpyware installed,
which would have cleaned up your machine. We do have those processes
defined in our rules set.
I would be careful with the advice you get from people that are *not*
technical experts, nor experts in the spyware field, or you will likely
be reformatting your system if you remove critical components.
Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com
--
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
"Nick Skrepetos" <nskre...@yahoo.com> wrote in message
news:1149650776....@g10g2000cwb.googlegroups.com...
>Ok now follow these instructions.
DO NOT download anything from pcbuttmunches theftware site. The files
that he has stolen and placed on his site cannot be trusted. There is
a very good chance that you will end up with a key-logger or worse if
you follow the bozos advice and use software from his site.
"pcbutts1" <pcbu...@seedsv.com> wrote in message
news:_c-dnfoK7tjJ1RvZ...@giganews.com...
PCButts - why do you take every warning about non-technical people as
an insult towards yourself? I am simply warning the user to make sure
that the advice they get is sound so they don't destroy their systems.
People here may not be HTJ experts.
You do what you need to do - your threat is on record. I do not attack
you personally, nor post anything about you - so do whatever it is you
feel you need to do.
I am a professional, running a professional company - I create software
and help users - that's what I do and that's what I will continue to
do.
I uninstalled it. It didn't do anything. To be fair, neither did the
process that guy ran me through.
Anyway, I was pointed to groups that I went to and tried multiple times
to post to, but the posts were removed, even when I corrected them. I
am in dire ned of getting this shit off of my machine, and if posting a
small text file to a Usenet newsgroup can help, I will be out of your
hair momentarily. Now...can you help me or not? I tried your
software, if you are behind it, drop me an email.
I posted the Diagnostic link several times in the other thread. If you
care to run it, I can take a look.
On a side note (and not directed necessarily at you) - It's interesting
how demanding people are even when getting help for free. I wonder why
people don't respect the knowledge and skill level that is required to
be able to create these anti-spyware products.
Isn't it worth something to have this stuff removed by an expert? Just
curious.....
> Are you going to start up with me again Nick? What I did last time
> was nothing.
******************Reply Separator*****************
You should go buy a van.
max
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
Keeping Windows Clean: http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help: http://home.neo.rr.com/manna4u/tools.html
Specific Fixes: http://home.neo.rr.com/manna4u/fixes.html
Forums for HiJackThis Logs:
http://home.neo.rr.com/manna4u/forums_for_hijackthis_logs.html
To reply by e-mail change nomail.afraid.org to gmail.com
nomail.afraid.org is setup specifically for use in USENET
feel free to use it yourself. Registered Linux User #393236
You did something? Must have been "nothing".
Wow, Butts told the truth about something. WOW. Calender marking time.
Leythos wrote:
> In article <1149645677.0...@g10g2000cwb.googlegroups.com>,
> kom...@yahoo.com says...
> > ***I APOLOGIZE WITH ALL REVERENCE TO THE CHARTER, BUT WE'LL ALL GET
> > THROUGH THIS***
>
> So you understand the charter, understand that you are in the wrong,
> understand that you get faster help via the official HJ forums,
> understand that Butts is only going to post your logs to them and then
> report back here with a fix since he doesn't have any technical skills
> that anyone has been able to idenfity, and you still post your dang
> logs!
>
> What a lamer.
>
> --
>
> spam9...@rrohio.com
> remove 999 in order to email me
> There he is once again, escaped from my killfile.
Yeah. Did you notice where the post came from?
http://www.dnsstuff.com/tools/whois.ch?ip=192.91.171.42
..and using a gmail address and Google Groups. Perhaps Buttface's other
account was closed for abuse. <lol>
--
-bts
-Warning: I brake for lawn deer
-Nick
> I posted the Diagnostic link several times in the other thread. If you
> care to run it, I can take a look.
>
> On a side note (and not directed necessarily at you) - It's interesting
> how demanding people are even when getting help for free. I wonder why
> people don't respect the knowledge and skill level that is required to
> be able to create these anti-spyware products.
>
> Isn't it worth something to have this stuff removed by an expert? Just
> curious.....
Say what you will about the guy, I don't know him or you or anyone else
in this group, however he stepped up, tried to help, has sent me emails
and actions speak far louder than words, my friend. I asked you the
same thing, and all you want me to do is re-install your software and
run your program again when it never worked in the first place.
On a side note (definitely directed at you), no expert has helped me
for free as of yet. Your software didn't work, I don't want to
reinstall it, you've seen the log, and you simply pawn it off as me
being demanding. Show me some "knowledge and skill", 'cause your
software showed me nothing.
To answer your question: Hell yes! It is worth something to have this
stuff removed. when that happens, I'll toot your horn, send you a
card, buy you lunch. But it hasn't happened, and all the talk inthe
world won't change that. I once again ask you - email me and let's
talk, despite what you may think, I am a reasonable person, I will give
you the cahnce to help me. And if you do, Iwill come on this
newsgroup, aplogize humbly, loudly and extremely publicly. But until
and unless you do that, you're just a blowhard, dude.
I have asked you no less than 4 times to click the diagnostic link I
provided in the other thread, and yet you can't seem to click it. The
HTJ log does NOT SHOW all the locations that spyware infests. Why do I
know this? Because I am an expect in this field - and deal with these
issues on a dialy basis - that's why I have asked you to click the link
and send a diagnostic - but yet no diagnostic.
I'll try again - CLICK THE LINK BELOW ON THE INFECTED COMPUTER
http://www.superantispyware.com/diagnostic.html?id=nicks
As for the "blowhard" comment - why don't you look around the groups
and webs and see how many references to my software SUPERAdBlocker and
SUPERAntiSpyware there are - I am sure over 300,000 references are
indication of a blowhard.
Good luck with your spyware infection.
> I'll try again - CLICK THE LINK BELOW ON THE INFECTED COMPUTER
> http://www.superantispyware.com/diagnostic.html?id=nicks
I will absolutely take you up on it. You got it. Thanks for the
opportunity.
> As for the "blowhard" comment - why don't you look around the groups
> and webs and see how many references to my software SUPERAdBlocker and
> SUPERAntiSpyware there are - I am sure over 300,000 references are
> indication of a blowhard.
There are a lot of people in this world who swear drinking your own
piss is good for you, but I'm not prone to believe them.
> Good luck with your spyware infection.
If you get this done, I will eat humble pie, I promise you that. Let
me just say that the previous guy's procedure _did_ get the embedded
URL/banner/whatever off of my desktop - the pop ups are still coming,
but the most alarming piece is gone. Anyway, I'll do what you asked.
No need to keep hamemring this out - I did your diagnostic test, I will
wait to hear from you. Thanks - Ben
I sent you the logs in email...
>There are a lot of people in this world who swear drinking your own
>piss is good for you, but I'm not prone to believe them.
Yet you believed a software pirate that sent you an email in response
to your demand for free help? LMAO! It's no wonder you're too stupid
to figure out how to keep from being infected,
I received your diagnostic. It looks like you didn't update your rules
when you scanned with SUPERAntiSpyware or it would have removed the
problem. If you re-install SUPERAntiSpyware and update the rules and
make sure you have core rules version 2969 or greater, and trace 1069
or greater, then perform the scan, removal and reboot, the problem will
be solved. After you reboot, if your desktop background is incorrect,
or white, open SUPERAntiSpyware, go to Preferences, select the Repairs
tab and then execute the "Reset Desktop Components" repair and reboot
you will be all set.
The problem file is:
c:\Program Files\Google\nicobitop.html
Classic desktop hi-jacker. We usually only see these on Warez/Serial
and Extreme Fetish/Beastality Adult Pornography sites - they are
probably other places also, so, in the future be careful of those types
of sites as they really install some nasty stuff.
After you run SUPERAntiSpyware and the problem is fixed - I look
forward to having you as a customer!
PCButts - why didn't you spot that file?
> Classic desktop hi-jacker. We usually only see these on Warez/Serial
> and Extreme Fetish/Beastality Adult Pornography sites -
I will have to talk to the wife about all this. I guess this donkey
dick isn't enough for her...
--
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
"Nick Skrepetos" <nskre...@yahoo.com> wrote in message
news:1149722384.8...@h76g2000cwa.googlegroups.com...
>In article <1149715085.8...@u72g2000cwu.googlegroups.com>,
>pcbu...@gmail.com says...
>> Yea you wish it was don't you? I'm traveling at the moment, Going to
>> Ohio to track down my stalker Leythos. My account is fine sorry to
>> disappoint you.
>
>Bring it on little boy, there isn't anything posted here, in any threat
>that you can even prove is stalking. Don't forget, I work with LE out
>here from time to time and I know what the limits are, and you're the
>only one that has crossed them.
I find it laughable that he claims that you are his stalker while he
says that he is going to a state that he thinks that you live in to
stalk you.
Obviously not a smart person.
> snip <
> the pop ups are still coming,
> snip <
******************Reply Separator*****************
Are you using a router w/firewall?
Have you turned off windows messenger?
By the way...Super Ad Blocker works pretty good with IE6 and Firefox. IMHO.
There are some issues when using IE7 beta but it is beta so it's to be
expected.
Fitz
--
***
NEVER download files from anywhere unless it is from the website of the
developer, manufacturer or some entity that you trust. Developer websites
ALWAYS have the most up to date files that haven't been tampered with by
some third party who is "hosting" (read Leeching or Stealing) those files
without permission. Never open email attachments from people you don't
know. It's called Safe Hex.
***
"Nick Skrepetos" <nskre...@yahoo.com> wrote in message
news:1149704612.4...@j55g2000cwa.googlegroups.com...
We have a new releaes of Super Ad Blocker coming out next week that
resolves all the issues with IE 7 and the newer builds of Firefox.
--
***
NEVER download files from anywhere unless it is from the website of the
developer, manufacturer or some entity that you trust. Developer websites
ALWAYS have the most up to date files that haven't been tampered with by
some third party who is "hosting" (read Leeching or Stealing) those files
without permission. Never open email attachments from people you don't
know. It's called Safe Hex.
***
"Nick Skrepetos" <nskre...@yahoo.com> wrote in message
news:1149834441.7...@g10g2000cwb.googlegroups.com...
> PCButts - why didn't you spot that file?
(He isn't old enough to be interested in women?)